
BEST PRACTICES

SECURING YOUR NETWORK BY APPLICATION


Visibility and Attack Surface Reduction

Palo Alto Networks has identified Visibility, Control, and Policy

Applications lie at the core of your business and network traffic. They're an integral part of how business is done. Because of that, they're designed to be highly available to users. To achieve this goal, applications use non-standard ports, and even hop ports by going from port to port until they find an open one, to ensure users always have access. There is no guarantee that a given set of ports will always define an application, which is why security policies should be applied to traffic associated with applications, instead of just ports. Palo Alto Networks has identified hundreds of applications used to slyly deliver threats into victim organizations, most of which could have been prevented.

Palo Alto Networks Next-Generation Firewall (NGFW) identifies traffic by application first, using our App-ID technology, regardless of port or protocol. This allows you to create security and usage policies based on applications and their corresponding functions, like chat or file sharing.

Customers typically combine App-ID with our User-ID technology, which identifies users regardless of IP address or device, to view and understand their traffic within the context of who is accessing what on the network.

A Phased Approach to Application-Based Security


Whether you've just implemented Palo Alto Networks products or have been administering them for years, make sure you're maximizing their full value by reviewing our best practices for identifying and securing traffic by application.

As with any technology, there is usually a gradual approach to a complete implementation, consisting of carefully planned deployment phases meant to make the transition as smooth as possible, with minimal impact to your end users. With this approach in mind, we've recommended our NGFW best practices in three phases, each building on the recommendations before it. The ultimate goal for your NGFW implementation should be to end up with a robust next-generation policy based on application, for any port and protocol.

There are two basic approaches to deploying application-based policies with App-ID:
1. Migrate existing policies from your legacy, port-based firewall.
2. Start from scratch and build policies from the ground up, either in a previously unprotected network location or as a slow transition from a legacy, port-based firewall.

This chapter will speak to the recommended best practices for each approach: Migrating Existing Policies and Starting From Scratch.

Palo Alto Networks | Best Practices Guide 1

Palo Alto Networks LIVE Community: App-ID
Learn more about App-ID technology

Figure 1: Migration paths

Migrating Existing Policy
Pros: Conservative, step-by-step approach; retains historical rules; low risk; low impact.
Path: Legacy protocol/port rules -> App-ID conversion and migration -> Consolidation, User-ID, Content-ID -> Next-Generation.

VS

Starting from Scratch
Pros: No special tools required; easy to create App-ID rules; eliminate cruft; relatively quick.
Path: Legacy -> Virtual-wire behind the legacy firewall -> Replace the legacy firewall -> Next-Generation.

PHASE 1: APPLICATION VISIBILITY

Because App-ID technology is a standard feature of our next-generation firewalls, application visibility is something our customers achieve simply by turning on their firewall.

Migrating existing policies:

Most of our customers deploy one of our next-generation firewalls by migrating existing policies from their legacy firewalls. This takes the existing port-and-protocol policies and converts them, like for like, to PAN-OS policies. When this conversion is done, you'll be running your NGFW in production, but with your port-based policy. However, even though the firewall is running port-based policies, it's still logging application data, which you can leverage to create accurate application-based rules that parallel the legacy rules and act as a conduit for risk reduction and rule consolidation through our unique capability of setting application, user, content, and security parameters within a single rule.

Tip: Use our Migration Tool to speed up the migration process. Engage our Professional Services team to complete this process even more quickly or to take this task off your hands completely.

Learn about Palo Alto Networks Migration Tool



Starting from scratch: Baseline visibility

You may be in a position where you want to build your own next-generation policy from scratch. However, before you can start creating effective application-based policies, you must first understand your organization's traffic flow and/or log data.

The first step is to place your NGFW in virtual-wire or transparent mode behind, or in front of, your legacy firewall with an explicit allow-any-any rule. You won't be enforcing any policy, but you will have visibility of all traffic within the context of applications, which will give you a baseline for building policies later on. Leaving this setup in place for at least 30 days will give you a decent representation of your traffic mix.

Tip: Think about processes or events that may occur less frequently than your 30 days might allow, for example, an accounting audit which may only happen once per year that utilizes a specific set of applications, or a major national or international sporting event which may occur once every few months that utilizes a specific streaming application.

Don't stop here! Continuing to the next phase and implementing application-based policies to replace legacy port-and-protocol-based policies is critical to realizing the full value of your Palo Alto Networks Next-Generation Security Platform.

Administrator's Guide: Monitoring

PHASE 2: NEXT-GENERATION POLICIES

Migrating existing policies: Converting to application-based policies

After your NGFW has at least 30 days of production traffic, you'll have enough logs to accurately identify your organization's traffic mix, and you can begin migrating your legacy rules to application-based rules. During this time, it's a good idea to monitor traffic and converted rules to make sure end users are not impacted by blocked services, for example. You'll continue to monitor as you migrate all port-based rules to application-based rules. Make sure to look at actual log data because there are often applications hitting certain rules that may be surprising. The goal is to safely enable applications by making sure you've properly enabled all legitimate applications, as well as identified and restricted those that have no business on, or pose a danger to, your network.

Tip: Automated tools help streamline much of this process by handling hundreds of rules at a time. However, remember that human judgment is also an important part of this process.

The best way to do this is to go rule by rule, looking at which applications are being allowed or denied, cloning the rule, and populating the App-ID field. Then you'll move the new rule above the original and let traffic run through it for another 30-90 days to verify that no traffic is still hitting that original rule. Once you've confirmed this, you can remove the original, port-based rule. The most important step in the process is removing port-based rules, so make sure this is done for every rule that has been converted.

Once all port-based rules have been removed, your policy set will primarily be application-based, which will allow or deny traffic at the application level, even if the application uses a non-standard port. There will likely still be a few policies that are port-based where appropriate.

Tip: Before either your migration to or creation of application-based policies, consider adding rules to selectively decrypt SSL flows to provide further visibility into what's really contained in that traffic. This will allow you to simultaneously build rules to account for encrypted traffic to which you otherwise would be blind. By decrypting traffic before building application-based rules, you'll have more visibility into and control of the applications being used.

Figure 2: The bottom rule is an example of a migrated legacy policy, while the top rule is an example of next-generation policy because it includes the application identification information, using App-ID.



Starting from scratch: Building App-ID policies

Once you have 30 days' worth of traffic and a comprehensive representation of your traffic, you can begin to build application-based policy. Leave the virtual wire in place as you create your new policies, and as you build out the rule set, you'll see less and less traffic hitting the allow-any-any rule you started with. When no legitimate traffic continues to hit the explicit allow-any-any rule, change this into a deny-any-any rule. You're now ready to completely replace the legacy firewall with your NGFW.

Tip: Combine application-based policies with User-ID technology to ensure that only users who need access to certain restricted applications actually have access, and further reduce your organization's risk. Introducing User-ID can be done earlier in the process, but after you have an application-based rule set, you'll have a much better, more organized view of which users should be reflected in which rules.

Administrator's Guide:
Set up basic security policies
Use application objects in policy

PHASE 3: CONSOLIDATION, CUSTOMIZATION, AND RISK REDUCTION
Now that you have application-based policies in place, you may be able to consolidate the number of policies and further build out your rule set by adding custom applications, using the vast library of Palo Alto Networks application decoders.

Rule consolidation reduces management overhead by simplifying your view of what's allowed or blocked by your NGFW. Instead of having a single rule each for application, user, and threat protection, for example, we allow you to combine these traffic parameters into a single policy, oftentimes significantly reducing the number of rules you must manage, making it much easier to keep rule sets updated.

Tip: Build threat policies, such as vulnerability protection, URL filtering categories, and anti-malware rules, as you create App-ID rules. This will not only help you identify and act on malicious content, but will also make this process more efficient, as you're already going through each rule.

Administrator's Guide:
Configure custom App-IDs
Manage custom or unknown applications

Migrating existing policies: Consolidating rules

Once a rule set has been migrated to App-ID, it's worth reviewing the entire policy for opportunities to consolidate, looking specifically for rules that:
1. Are shadowed by other rules.
2. Can be combined by address groups, application groups, or other methods.
3. Are no longer used.

Administrator's Guide:
Search duplicated rules by name

Tip: Combine file blocking profiles with your application- and user-based policies by white- or black-listing file type upload and download restrictions to further reduce the risk of accidental infection and data loss.
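As an added illustration (not Palo Alto Networks code, and not the PAN-OS rule or log format), the following Python models two checks this guide describes: the Phase 2 verification step, where an App-ID clone sits above its port-based original and you watch whether the original still receives hits before removing it, and the Phase 3 review for shadowed and unused rules. The rulebase and traffic-log flows are constructed for the example; the matching uses first-match semantics with "any" as a wildcard.

```python
ANY = "any"
FIELDS = ("src_zone", "dst_port", "app")

def make_rule(name, src_zone, dst_port, app):
    # dst_port is "any" or a port, as in a legacy rule; app is "any" before conversion
    return {"name": name, "src_zone": src_zone, "dst_port": dst_port, "app": app}

def covers(rule, values):
    # True when every rule field is "any" or equal to the corresponding value
    return all(rule[f] in (ANY, values[f]) for f in FIELDS)

def hit_counts(rulebase, flows):
    # First-match semantics: the first rule in order that covers a flow decides it
    counts = {r["name"]: 0 for r in rulebase}
    for flow in flows:
        match = next((r for r in rulebase if covers(r, flow)), None)
        if match is not None:
            counts[match["name"]] += 1
    return counts

def removal_candidates(rulebase, flows):
    # Port-based originals (app "any") that no logged traffic reached: safe to remove
    hits = hit_counts(rulebase, flows)
    return [r["name"] for r in rulebase if r["app"] == ANY and hits[r["name"]] == 0]

def shadowed(rulebase):
    # A rule is shadowed when an earlier rule already covers every field it could match
    return [(later["name"], earlier["name"]) for i, later in enumerate(rulebase)
            for earlier in rulebase[:i] if covers(earlier, later)]

# Constructed rulebase mid-migration: each App-ID clone sits above its port-based original
RULEBASE = [
    make_rule("allow-web-appid", "trust", ANY, "web-browsing"),
    make_rule("allow-web-80-appid", "trust", "80", "web-browsing"),  # redundant second clone
    make_rule("allow-web-legacy", "trust", "80", ANY),
    make_rule("allow-dns-appid", "trust", ANY, "dns"),
    make_rule("allow-dns-legacy", "trust", "53", ANY),
]

# Constructed traffic-log flows (illustrative, not the PAN-OS log format)
FLOWS = [
    {"src_zone": "trust", "dst_port": "80", "app": "web-browsing"},
    {"src_zone": "trust", "dst_port": "8080", "app": "web-browsing"},  # non-standard port
    {"src_zone": "trust", "dst_port": "80", "app": "ssh"},  # surprising app still on the legacy rule
    {"src_zone": "trust", "dst_port": "53", "app": "dns"},
]
```

The ssh flow on port 80 is the "surprising application" case: it keeps the legacy web rule in use, so that rule cannot be removed yet, while the DNS original has no hits and is a removal candidate.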



Our Commitment to Support Our Customers
Palo Alto Networks is committed to ensuring a successful deployment and provides
comprehensive support through our Global Customer Services organization. We
understand fully that failure is not an option. Our support offerings and training
programs are designed to mitigate any deployment concerns you may have.
Palo Alto Networks Solution Assurance Services
Palo Alto Networks Customer Support Plans
Palo Alto Networks Consulting Services
Palo Alto Networks Educational Services
Join Palo Alto Networks LIVE Community for user discussions, tutorials, and knowledge
base articles.
PAN-OS Administrator's Guide, Version 7.0: App-ID
PAN-OS Administrator's Guide, Version 6.0: App-ID

Join Palo Alto Networks Fuel User Group community to connect with like-minded
professionals around the globe who are ready to discuss their hard-won best practices
and trade insights. You can also get exclusive access to subject matter experts to answer
your most challenging, security-related questions through online events, such as
webinars and Q&A sessions, and in-person events, as well.

4401 Great America Parkway, Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

2015 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. pan-wp-best-practices-visibility-110415
